Tuesday, October 13, 2009

Increasingly, the word ‘uncertainty’ is being used in place of ‘risk’. Many of the definitions of ‘risk’ found in risk management guidelines and standards are of the type: ‘risks may represent threats as well as opportunities’. Alternatively, there are processes that deal with risks and opportunities, the two being treated as separate and distinct. This stylized representation of uncertainty limits the way risk managers record, analyse and assess risks, and constrains the relationship between the risk management process and that to which it is being applied. Risks (and opportunities) are defined in relation to what we will call the ‘base position’ (cost estimate, project schedule, operational process, etc). However, how do we tell if that base position was optimistic or pessimistic, realistic or fantastic?The answer is: we cannot, except by inference from the level of assessed risk exposure. From a strategic perspective, it is hard to understand what the results of a risk management process are telling us. Is a given project really extremely risky, or is it merely that the base cost estimate was extremely optimistic?This issue, which relates to the context in which any risk management process is implemented, is typically dealt with through phrases like ‘following good industry practice’, ‘benchmarking’, etc, to give credibility and confidence in the base position. However, since each project is unique, and given that the same set of risks can be and are looked at from different perspectives (eg a client organizationissuing a tender as against bidders competing for the work), how can we compare the risks identified by each party without understanding how optimistic or pessimistic each base position is from a strategic perspective? Can a senior decision maker be confident that the risk management process takes the optimism or pessimism of the base position into account, particularly if the personnel taking part in the risk management process are not aware of that information themselves? It is apparent, therefore, that many current risk management standards and processes are not sufficiently sophisticated to address the complexities, nuances and additional dimensions of uncertainty.